Skip to content

Commit

Permalink
Merge pull request #7 from OWASP/Snbig-patch-1
Browse files Browse the repository at this point in the history 
Create 13.1.3.yaml
  • Loading branch information
@Snbig
Snbig authored Dec 3, 2024
2 parents cd270b5 + 1bdae42 commit 940965a
Showing 1 changed file with 44 additions and 0 deletions.
44 changes: 44 additions & 0 deletions templates/headless/13.1.3.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
id: ASVS-4-0-3-V13-1-3

info:
name: ASVS 13.1.3 Check
author: Hamed Salimian
severity: medium
classification:
cwe-id: CWE-598
reference:
- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html
- https://github.com/danielmiessler/SecLists/blob/master/Discovery/Variables/secret-keywords.txt
- https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/session-id.txt
tags: asvs,13.1.3
description: |
Verify API URLs do not expose sensitive information, such as the API key, session tokens etc.
headless:
- steps:
- args:
url: "{{BaseURL}}"
action: navigate

- action: waitload

- action: script
name: urls
args:
code: |
() => {
return [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n')
}
extractors:
- type: regex
part: urls
regex:
- (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+

matchers:
- type: regex
part: urls
regex:
- (i?)(https?|wss?)://[^\s?]+(?:\?|&)(?:session|ASP.NET_SessionId|ASPSESSIONID|SITESERVER|cfid|cftoken|jsessionid|sessid|sid|viewstate|zenid|PHPSESSID|ConsumerKey|ConsumerSecret|DB_USERNAME|HEROKU_API_KEY|HOMEBREW_GITHUB_API_TOKEN|JEKYLL_GITHUB_TOKEN|PT_TOKEN|SESSION_TOKEN|SF_USERNAME|SLACK_BOT_TOKEN|access-token|access_token|access_token_secret|accesstoken|admin|api-key|api_key|api_secret_key|api_token|auth_token|authkey|authorization|authorization_key|authorization_token|authtoken|aws_access_key_id|aws_secret_access_key|bearer|bot_access_token|bucket|client-secret|client_id|client_key|client_secret|clientsecret|consumer_key|consumer_secret|dbpasswd|email|encryption-key|encryption_key|encryptionkey|id_dsa|irc_pass|key|oauth_token|pass|password|private_key|private-key|privatekey|secret|secret-key|secret_key|secret_token|secretkey|secretkey|session_key|session_secret|slack_api_token|slack_secret_token|slack_token|ssh-key|ssh_key|sshkey|token|username|xoxa-2|xoxr)=[^&\s]+

0 comments on commit 940965a

Please sign in to comment.